Google’s Mark Risher: ‘Phishing attacks are getting more targeted and insidious’

1 Feb 2019

Mark Risher. Image: Google

As spam and automated phishing attacks proliferate, Google’s fraud-fighter Mark Risher warns that it is the insidious, targeted, individual attacks that are the most frightening.

Mark Risher is Google’s director of product management, identity, account security, and spam and abuse – or, in simple terms, he is Google’s chief fraud-fighter and an authority on the future direction of email security and passwords.

The former ‘spam czar’ at Yahoo has also founded and sold two of his own start-up companies, one in consumer and one in enterprise software.


As well as playing a leading role in the internet giant’s policy and product direction on federation and authentication, Risher has regularly presented worldwide to government, industry and consumer groups about spam, abuse and cybersecurity issues.

Tell me about your own role and responsibilities in driving tech strategy.

I work on everything around Google accounts – getting them, signing into them, new form factors like Google Voice, signing into a watch, a car, a TV – you name it. It is important to keep the balance and say while no bad people can get into your account, the other extreme [is] to make [information available] at the tip of your fingertip, but there are security and privacy concerns. So that balance is what we strive on.

We still haven’t found a better security model than the password, have we?

Passwords aren’t trivialities; there’s a lot that relies on them but hopefully you and your readers are dealing with them less frequently. We have made big investments in Autofill on Google Chrome, including its recent release as well as the Android platform and other technologies like Two-Factor, Google Prompt, Security Key – all of these work together. The way that we stay in front of it is by really careful threat modelling and understanding what is the bad thing that people are attempting out there, but also really going deep into the human factors like usability concerns and what are people really likely to do.

Services such as signing in with your Google or Facebook account are overtaking passwords as a way to access various other web or app services. But, considering the awful breaches of 2018, do these not pose a risk, too?

We want to improve things – not just for Google and our users, but also people right across the entire technology ecosystem – because everything is connected together, we all have the same adversaries and we all need to band together to defend.

There has been this discussion of how the federated identity products create some extra vulnerability, and I disagree with that.

The way that the majority of websites right now – and services and apps – manage authentication is that they spin their own systems from scratch and they oftentimes ask for an email address and send a link for you to log in and prove you are the right person.

In that world, it is more dangerous than being federated. Being able to click the link and being able to break into a lot of the site is, in fact, the same type of vulnerability.

You make things better with the Sign-In With Google scenario because the third-party developer no longer needs to develop their own authentication system or a database of passwords and credentials that themselves could be targeted. The website owner no longer needs to implement more advanced forms of authentication.

We believe that federations and products like Sign-In With Google really improve security for the industry as a whole, and the developers and industry that work with us and their users are in a better place.

How insidious are hackers, fraudsters and phishers becoming?

Spam and phishing continue to rise and there are plenty of low-grade, non-convincing automated messages being attempted every second of every day. The problem is, we block 99.9pc of it but no one cares about that. They care about the .01pc that might get through and, while Gmail and our Google services are better than anybody else’s and work harder than anybody else’s, that’s where we want to focus our attention.

What we are contending with is stuff that is not automated. Very few people are falling for it and our systems are blocking it, but the concern you also alluded to is more careful targeted messages where attackers are doing some research in advance. Phishing attacks are getting more insidious and targeted. They are learning about the intended target and probably selected the target for some particular reason that they think will be remunerative. And in those cases, you will get something much more remunerative, much more convincing and believable, and that’s what we are putting our attention into these days.

We’ve seen government agencies and businesses targeted by successful but very simple, targeted phishing attacks. You can’t defend against stupid. Do you despair about this?

I would never characterise it so negatively because people are actually wonderful. But there are limits to what we can do and there are ways that humans have evolved to find patterns and be trusting, and I hope that doesn’t change. I don’t want a world where everything has to be treated with the utmost scepticism, but also, as someone building systems and developing products, I don’t want to assume that users are always going to take the correct steps and be good at everything.

One of the bits of advice that I hate is when news articles will say beware of suspicious links. The whole web is built on clicking on links and it is impossible to expect anyone, even experts, to tell what is a suspicious link beforehand.

So, consequently, we try to build products that are secure by default and don’t expect users to be hyper-vigilant and don’t expect them to take steps in advance.

An example of that is how we approach multifactor authentication.

We know there are billions of passwords out there in the wild. We use the Google search crawlers to index the web and, in the last few weeks, found 3.3bn unique username and password pairs; we have known this a long time and never allow a password to be sufficient just by itself.

More and more of the time, even if someone knows your username and password and phone number, at Google we stop them getting into your account by doing secondary challenges. We are effectively doing multiple-password authentication for all of our usernames, like sending a code, a Google Prompt or more subtle things like confirming on a device we’ve seen before, or a Titan security key that guarantees new access can physically be granted if it is physically connected to a computer to verify.
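The login policy Risher describes, a correct password that is never sufficient on its own, a check against a corpus of exposed username/password pairs, and a step-up challenge unless the device has been seen before, sketched as an added example. This is illustrative code written for this article, not Google's implementation; the leaked-credential set, device ids and accounts are constructed sample data, and the "deny / challenge / allow" outcomes are an assumed simplification of the real secondary challenges (code, Google Prompt, security key).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

def _pair_digest(username: str, password: str) -> str:
    """Hash a username/password pair so exposed credentials are stored without plaintext."""
    return hashlib.sha256(f"{username}\0{password}".encode()).hexdigest()

# Constructed sample of "pairs found in the wild" (stand-in for a crawled corpus, not real data).
LEAKED_PAIRS = {
    _pair_digest("alice@example.com", "Summer2018!"),
    _pair_digest("bob@example.com", "hunter2"),
}

@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    known_devices: set = field(default_factory=set)  # device ids seen on earlier logins

def _hash_password(password: str, salt: bytes) -> bytes:
    # Memory-hard hash so a stolen credential database is expensive to crack offline.
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)

def make_account(username: str, password: str, known_devices=()) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, salt, _hash_password(password, salt), set(known_devices))

def evaluate_login(account: Account, password: str, device_id: str) -> str:
    """Decide 'deny', 'challenge' (require a second factor) or 'allow' for one login attempt."""
    candidate = _hash_password(password, account.salt)
    if not hmac.compare_digest(candidate, account.password_hash):
        return "deny"  # wrong password: no further signals matter
    # The password alone is never sufficient. A pair known to be exposed always
    # triggers a secondary challenge, even from a familiar device.
    if _pair_digest(account.username, password) in LEAKED_PAIRS:
        return "challenge"
    # Subtle, low-friction signal: a device we have seen before on this account.
    if device_id in account.known_devices:
        return "allow"
    return "challenge"  # new device with a clean password: ask for a second factor
```

In a real deployment the "challenge" branch would dispatch to one of the factors named above rather than return a string, and the known-device signal would be one of many risk inputs.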


John Kennedy is a journalist who served as editor of Silicon Republic for 17 years
